I have a spreadsheet that was provided to me of users to import to a new site I have built. I was provided with the password in MD5 hash form. I suspect if I insert this into the password field in the database, since it is MD5 it will still match their password when the user tries to login on the new system. Is this a correct assumption?

I also have a large amount of metadata for each user that needs to be inserted.

Because I want to insert the md5 string, and not the password text and the extra custom meta fields, I don't think I can use wp_insert_user.

Does anybody have experience with this type of thing? I am thinking I will just do something directly in mysql, rather than hack up a WP plugin, any suggestions would be appreciated though.

3 Answers
3

WordPress used MD5 for password hash in the past, but had since moved on to more secure phpass. The good thing is that it retains backwards compatibility - if user had old MD5 hash then it will be checked as such and automatically re-hashed and re-saved using current algorithm, see wp_check_password().

You are correct that you cannot use wp_insert_user() because it expect plain text password.

I suspect if I insert this into the password field in the database, since it is MD5 it will still match their password when the user tries to login on the new system. Is this a correct assumption?

Check the sourcecode of your wordpress version FIRST to verify that. It might be that this is not the default behavior. So check the source and do a quick hack of your install (put it under GIT , so you have UNDO while editing core (it's fast and you start with git init). This won't kill a single kitten but boost your workflow BTW).

So after you have fixed your login problem (Solution: Add a check against the MD5 hash, if matching, regenerate the password hash with phpass) you can think about the metadata problem.

My answer does not cover it much. I mean, just add the data somehow, it should be trivial. Just add it. If the data is incompatible with your site, you might need to extend your site first, so whatever the deal is, I'm pretty sure you get it managed.

Tip: Insert into the database directly. Just do a MySQL query that does the job. Don't wiggle around too much with wordpress PHP code. Wordpress only knows the MySQL database to store the data. So if you control the data, you control wordpress ;).

I had this problem as well. I ended up solving it by importing MD5 passwords as plaintext, and then changing Wordpress authentication to put the passwords through an MD5 hash before checking them.

My specific approach:

I used a plug-in to import users from a CSV which included their MD5-ed password. This left me with a database full of users unable to login, because their plaintext password was now "5f4dcc3b5aa765d61d8327deb882cf99" instead of "password".

Next, I wrote a plug-in that included tiny changes to wp_hash_password() and wp_check_password() to cause MD5 hashing to be the first step of all password checks. So, when they enter "password", WordPress checks against "5f4dcc3b5aa765d61d8327deb882cf99" instead, and so the authentication check succeeds. I still get the same phpass encryption, the only difference is that I'm never giving it raw plaintext to encrypt.

This was accomplished by copy-and-pasting these functions from pluggable.php into a new plug-in and modifying them to wrap the provided plaintext passwords in md5().

Each function had only one change from the original implementation; this line from function wp_hash_password():

return $wp_hasher->HashPassword( trim( $password ) );

to:

return $wp_hasher->HashPassword( md5 ( trim( $password ) ) );

and this line from function wp_check_password():

$check = $wp_hasher->CheckPassword($password, $hash);

to:

$check = $wp_hasher->CheckPassword(md5($password), $hash);

With this approach, users get to transparently keep their passwords, and instead of compromising on security, we get to use an ever-so-slightly more secure version of the out-of-the-box authentication scheme.